Hello list, today, Stefan reached out to me via phone and explained that /var/ipfire/ipblocklist/ should not be chown'ed to "nobody", since this would mean write access to the "sources" file, a thing neither needed nor desirable. Instead, he recommended touching a "modified" file in the same folder and granting "nobody" write access to it. While testing, I noticed the same thing is necessary for a "settings" file. I will submit a second version of the patch in due course. Best, Peter Müller > Fixes: #12917 > Signed-off-by: Peter Müller > --- > config/rootfiles/core/170/update.sh | 3 +++ > lfs/ipblocklist-sources | 4 ++-- > 2 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh > index b6b66f3f1..c7dc09946 100644 > --- a/config/rootfiles/core/170/update.sh > +++ b/config/rootfiles/core/170/update.sh > @@ -164,6 +164,9 @@ ldconfig > mkdir -pv /var/lib/ipblocklist > chown nobody:nobody /var/lib/ipblocklist > > +# Ensure permissions for /var/ipfire/ipblocklist are set properly > +chown -Rv nobody:nobody /var/ipfire/ipblocklist > + > # Rebuild fcrontab from scratch > /usr/bin/fcrontab -z > > diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources > index 30b9e94a4..87bd95cca 100644 > --- a/lfs/ipblocklist-sources > +++ b/lfs/ipblocklist-sources > @@ -47,7 +47,7 @@ b2 : > > $(TARGET) : > @$(PREBUILD) > - mkdir -p /var/ipfire/ipblocklist > - install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist > + install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist > + install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist > > @$(POSTBUILD)
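Review bot: In the config/rootfiles/core/170/update.sh hunk, the recursive "chown -Rv nobody:nobody /var/ipfire/ipblocklist" gives "nobody" ownership of everything under that directory at update time, including the "sources" file, so the unprivileged user can write a file it only needs to read. Suggest dropping the recursive chown and leaving the directory and "sources" with their existing owner. Instead, create only the files the reply above names as needing write access ("modified" and "settings") and chown those two to nobody:nobody. A short comment in update.sh saying why only those files are writable would help keep a later change from widening this again.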
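Review bot: In the lfs/ipblocklist-sources hunk, both added install lines pass "-o nobody -g nobody", which makes "sources" itself writable by "nobody" (owner with mode 0644). The directory line matters as well: with "install -d -o nobody -g nobody -m 0755" the owner has write permission on the directory, so "nobody" could rename or replace "sources" even if the file alone were owned by root. Suggest removing -o/-g from both lines so the directory and "sources" stay root-owned, and adding separate install lines for the empty "modified" and "settings" files with "-o nobody -g nobody", matching what the reply proposes for the second version.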